drow: inject code and hook the entrypoint of ELF executable
drow
drow is a command-line utility that is used to inject code and hook the entrypoint of ELF executables (post-build). It takes unmodified ELF executables as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime.
Slightly more detail …
Drow takes the following steps to create the new patched ELF:
- Map in the unmodified target ELF executable and the user-supplied payload, a position-independent blob
- Locate the first executable segment by parsing program headers
- Locate the last section in the executable segment by parsing section headers
- Expand the last section (in the segment) section header’s sh_size and program header’s p_memsz/p_filesz by the size of the user-supplied payload
- Fixup section headers’ sh_offset‘s and program headers’ p_offset‘s (move down sections and segments to make room for the payload and a small “stager stub”)
- Fix offsets in the ELF header (e_shoff, e_phoff, etc..)
- Modify the ELF header e_entry (ELF entrypoint offset) to point to the injected code
- Create a new ELF containing the injected code and modified ELF headers
In addition to injecting the user-supplied payload, drow injects a small code stub that is prepended to the beginning of the payload. This stub is designed to call into the payload. If the payload is written to return to the caller, after the payload returns the stager then tailcalls into _start, restoring execution so the program can run as intended.
Install
sudo apt install gcc scon
git clone https://github.com/zznop/drow.git
cd drow
scon
Use
Copyright (c) 2020 zznop0x90@gmail.com
Source: https://github.com/zznop/
